Healthcare Cybersecurity in 2026: The Threats Hitting US Hospitals and How to Stop Them
Table of contents
- The cyber threat profile that makes healthcare uniquely vulnerable
- What kinds of cyberattacks are most common in the healthcare industry?
- Ransomware makes it easy for threat actors to attack
- Business email compromises are a “billion-dollar scam”
- Supply chain attacks in the healthcare sector threaten lives
- How do security breaches occur in the healthcare industry?
- When ransomware limited blood supply to hospitals
- A ransomware attack shut down pharmacies
- A HealthEquity data breach exposed the Social Security numbers of 4.3 million people
- Change Healthcare lost the data of 190 million patients to ransomware
- A third-party billing vendor exposed 5.4 million patient records
- A ransomware attack generated 200 patient lawsuits in Ohio
- Get in touch with our experts to overcome any healthcare security challenges
The healthcare industry is facing a rapid fire of security threats as ransomware attacks become more common, crippling the industry’s ability to remain resilient and provide care to patients.
The cyber threat profile that makes healthcare uniquely vulnerable
In Q1 2026, healthcare organisations recorded 120 ransomware attacks with average ransom demands surging to $16.9 million, up from $577,800 the previous quarter. 99% of US hospitals now manage devices that contain known, exploited vulnerabilities, and the average breach takes 241 days to identify and contain. As AI cybercrime becomes more prominent and accessible, these attacks will continue to grow.

Ransomware attacks against healthcare practices, clinics and specialty groups surged 36% year-over-year in late 2025, and double-extortion tactics (encrypting data while simultaneously stealing patient records for leverage) are now standard in 96% of cases. Comparitech documented 445 ransomware attacks on healthcare providers in 2025, while attacks on healthcare businesses, including pharmaceutical manufacturers, medical billing companies and health tech firms, increased 25% to 191 incidents.
The scale of unpreparedness makes this worse. ORDR’s 2026 Healthcare Cybersecurity Statistics Report found that 99% of hospitals manage devices containing known, exploited vulnerabilities, and the average breach takes 241 days to identify and contain — giving attackers more than eight months of undetected access.
Healthcare organisations are a high-value target because of what they hold. Patient records, electronic health records with limited security controls, legacy systems that cannot be easily patched, and staff operating under clinical pressure create conditions that attackers understand and exploit deliberately.
What kinds of cyberattacks are most common in the healthcare industry?
According to reports, in 2025 the most common cyberattacks in the healthcare sector were:
- Cloud compromise: hackers gain entry into an organisation’s IT cloud infrastructure, exploiting misconfigured storage and access controls to reach patient records and clinical data.
- Ransomware: a threat actor spreads malicious software to encrypt data and extort funds — now using double-extortion tactics in 96% of healthcare cases, simultaneously stealing records to increase leverage.
- Supply chain attacks: cybercriminals infiltrate an organisation by exploiting vulnerabilities in third-party vendors or service providers, as seen in the Episource breach that exposed 5.4 million patient records through a single billing vendor.
- Business email compromise (BEC): scammers use a spoofed email address or compromised account to trick employees into initiating a fraudulent money transfer, with AI now generating convincing impersonations of hospital executives and finance teams.
Ransomware makes it easy for threat actors to attack
Ransomware as a Service (RaaS) has become more widely used by threat actors because of its low cost and the little technical expertise it requires.
Threat actors use malicious software to encrypt files, causing disruptions for healthcare providers. When sensitive data is lost to hackers, healthcare professionals cannot access the necessary information needed for treatment.
According to a joint study by Proofpoint and the Ponemon Institute, nearly three in four US healthcare organisations report that cyberattacks have disrupted patient care, with about half reporting increased medical procedure complications and longer patient stays, and nearly one in three linking cyber incidents to higher mortality rates. The FBI’s April 2026 Internet Crime Report confirmed healthcare was the number one targeted sector in 2025, with 460 ransomware attacks and 182 data breaches recorded.
Business email compromises are a “billion-dollar scam”
According to the FBI, business email compromises (BEC) are a billion-dollar scam that costs the industry both financially and in its ability to provide care to patients. BEC scams have increased by 1,300% since 2015, becoming the preferred attack method of most cybercriminals.
BEC attacks are a type of spear-phishing attack that aims to extort funds from the organization. Once a scammer infiltrates a legitimate email account, they can trick employees into handing over thousands by pretending to be a CEO or CFO. Threat actors usually conduct detailed research about their targets beforehand, which makes these messages difficult to filter out.
In one study, 62% of participants ranked BEC incidents as their top cybersecurity concern, yet only 45% of respondents had implemented response strategies for these kinds of attacks.
Supply chain attacks in the healthcare sector threaten lives
Healthcare organizations rely on an interconnected web of third parties to provide service and care to patients. This web spans everything from cloud service providers that orchestrate internal procedures to electronic health record vendors and third-party labs.
Once threat actors gain entry and begin disrupting the supply chain, providers are unable to provide care in the usual ways, posing a grave threat to life.
When healthcare organizations were surveyed about supply chain attacks, 50% stated that the attack escalated the severity of an illness, while 48% confirmed that the attack resulted in prolonged hospital stays.
How do security breaches occur in the healthcare industry?

The spike in cybercrime led the Attorney General in 2023 to enforce consequences for HIPAA violations. After an investigation, it was discovered that most healthcare institutions did not adequately protect sensitive data, violating the HIPAA Security Rule that requires physicians to protect electronically stored patient data.
The majority of cases showed a lack of reasonable and appropriate security measures such as multifactor authentication (MFA), access controls, encryption, security testing, data logging and monitoring, data retention, and up-to-date asset inventories.
- Healthplex in New York was fined $400,000 for failing to implement MFA and security measures for data logging, and for failing to perform data security assessments.
- Telehealth company Cerebral Inc. was fined $3.1 million for using a Pixel to track customers on its website, which transferred the HIPAA-protected data of its customers to third parties such as Meta (Facebook), Google, TikTok, and others.
- Broomfield Skilled Nursing and Rehabilitation Center in Colorado was fined $60,000 for using email forwarding to send sensitive emails to an external email address.
The recent healthcare data breaches below illustrate how healthcare providers are failing to adequately protect patients from threat actors. Basic cybersecurity practices are simply unknown or ignored, threatening patient safety.
When ransomware limited blood supply to hospitals
OneBlood, a blood centre that services hundreds of hospitals in the southeastern US, was hit by a ransomware attack in July 2024. The attack temporarily shut down internal systems, causing staff to quickly move to manual methods of distributing blood, affecting the supply to hospitals. Hospitals responded by implementing a blood conservation process after the attack, but it took days for hospitals to begin receiving their usual quantity of blood for patients.
A ransomware attack shut down pharmacies
Ascension Healthcare, one of the largest health systems in the US, was hit by a ransomware attack in May 2024. Ascension operates 140 hospitals across 19 states, and the attack affected every part of the healthcare system. The attack forced pharmacies connected to Ascension in multiple states offline, with some resorting to accepting cash payments for prescriptions. In other areas, clinicians turned to regional pharmacies by fax or telephone to fill orders. In June 2024, it was revealed that the threat actors had also stolen the data of 5.6 million patients from electronic health records and Ascension’s patient portal.
A HealthEquity data breach exposed the Social Security numbers of 4.3 million people
HealthEquity, a US company that manages healthcare benefits such as health savings accounts, flexible spending accounts and health reimbursement arrangements, had patient data stolen from its systems in July 2024. The data stolen included patient names, addresses, telephone numbers, employee IDs, employer names, Social Security numbers, dependent information and payment card information. The threat actor entered the system through unauthorised third-party access to a data repository outside its core systems. The Office for Civil Rights confirmed the attack affected over 4.3 million people in the US.
Change Healthcare lost the data of 190 million patients to ransomware
In February 2024, Change Healthcare suffered a ransomware attack that encrypted files and stole the protected health information of 190 million patients. To date, this is the largest healthcare data breach ever recorded.
The attackers stole names, contact information, dates of birth, Social Security numbers and medical information from across the US. To avoid public backlash, Change Healthcare paid the $22 million ransom to release the stolen data; however, the ransomware group BlackCat pocketed the ransom and did not return the data. After the ransomware took hold of internal systems, an outage prevented healthcare providers and health insurers from operating normally for several weeks, prompting an investigation from the Office for Civil Rights into HIPAA Security Rule compliance. Victims of the data breach subsequently filed a class action lawsuit against Change Healthcare, which is still ongoing.
A third-party billing vendor exposed 5.4 million patient records
Episource, a medical coding and risk adjustment firm owned by UnitedHealth Group subsidiary Optum, was hit by a ransomware attack in January 2025. Attackers spent ten days inside Episource’s systems before detection, silently exfiltrating approximately 6TB of protected health information belonging to 5.4 million patients — the second-largest healthcare breach reported to HHS in 2025. The stolen data included Social Security numbers, Medicare and Medicaid IDs, diagnoses, medications, test results and insurance details. By July 2025, at least 22 health systems had confirmed downstream exposure because Episource processes risk adjustment coding on their behalf. The breach was not the result of poor security at a hospital or insurer. It was a single vendor working quietly in the background.
A ransomware attack generated 200 patient lawsuits in Ohio
Kettering Health, a 14-hospital health system in Ohio, was struck by the Interlock ransomware group on May 20, 2025. The attack forced a system-wide shutdown of around 600 digital applications, cancelled all elective procedures on the day of the attack, took the call centre offline and pushed staff back to paper records, walkie-talkies and manual medication reconciliation. The Epic electronic health record system was not restored until June 2, and normal operations did not resume until June 10. The Interlock group exfiltrated 941GB of patient data and published it on the dark web when the ransom was not paid. More than 200 individual lawsuits have since been filed against Kettering Health — 37 alleging delayed treatment, eight alleging outright denial of care — with plaintiffs citing cancelled cancer screenings, delayed prescriptions and appointments rescheduled months later, or never rescheduled at all.
Get in touch with our experts to overcome any healthcare security challenges
CybelAngel’s platform gives teams a holistic overview of anomalies and potential threats across all tools.
